HackTheBox - Developer

Name: HackTheBox - Developer
Uploaded: 2022-01-15T15:18:58Z
Channel: IppSec
Description: 00:00 - Intro 01:04 - Start of nmap 03:00 - Examining the web page, noticing every URL with admin gets redirected to a django login 05:00 - Creating an ...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 01:04 - Start of nmap 03:00 - Examining the web page, noticing every URL with admin gets redirected to a django login 05:00 - Creating an account and looking at the page to discover CTF Challenges 06:15 - CHALLENGE 1: Phished List, a protected excel spreadsheet. Remove protection to see hidden cells 11:50 - Submitting a writeup, discovering an old version of Firefox talks to us 14:00 - Checking for Tab Nabbing vulnerability and explaining it 17:30 - Creating a phishing page by mirroring the page with wget and then using PHP to log submitted credentials 29:30 - Phishing worked, go…

Watch on YouTube ↗ (saves to browser)

Chapters (22)

Intro

1:04 Start of nmap

3:00 Examining the web page, noticing every URL with admin gets redirected to a dja

5:00 Creating an account and looking at the page to discover CTF Challenges

6:15 CHALLENGE 1: Phished List, a protected excel spreadsheet. Remove protection to

11:50 Submitting a writeup, discovering an old version of Firefox talks to us

14:00 Checking for Tab Nabbing vulnerability and explaining it

17:30 Creating a phishing page by mirroring the page with wget and then using PHP to

29:30 Phishing worked, got the admin's password. Login to Django to see another webs

33:00 Creating an error message in Sentry to get an error message, which contains a

36:10 Grabbing a django deserialization payload then installing django on python2 to

40:15 Changing the payload in the exploit to a reverse shell, avoiding any bad chara

41:30 Setting up the reverse shell in a way that works with ZSH, just need to do stt

46:13 Logging into Sentry Postgres Databae then enumerating tables and dumping the u

52:25 Discovering Karl can execute the authenticator binary with sudo, strings shows

56:55 Examing the binary in Ghidra

58:55 Discovering a call to Crypto::AES::CTR, using the rust docs to figure out what

1:01:22 Showing that AES-CTR does not have defined block sizes

1:05:00 Using GDB to help our analysis, showing how to setup break points around what

1:10:36 Examining memory to confirm our static analysis was correct

1:11:15 Grabbing the encrypted blob the program is comparing against to get the passwo

1:15:40 CHALLENGE 2: PSE, an dotnet binary that runs a uses PS2EXE to run powershell t

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →